GHSA-r2c6-8jc8-g32w

Published: 02 Feb 2026
Source: github
Github: Reviewed
CVSS3: 8.8

Description

Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-g8p2-7wf7-98mq. This link is maintained to preserve external references.

Original Description

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

Packages

Name: clawdbot (npm)
Affected versions: < 2026.1.29
Fixed version: 2026.1.29

8.8 High

CVSS3

Weaknesses

CWE-669
